A question regarding logs generated when the agent is not connected to the server

I have a question.

Generally, when the agent is not connected to the server, we understand that the agent stores logs generated on the PC locally and then transmits them once the connection to the server is restored.

However, what I’m curious about is this:

In such a situation, is there any way to verify that not even a single log has been lost?

What I’m also curious about is whether there is any mechanism, such as a unique sequence number assigned to each log generated by the agent, that can clearly demonstrate that no logs have been lost.

In other words, is there any definitive way to prove that “none of your logs have been lost”?

If such a mechanism does not currently exist, I would also like to know if there are any plans to implement it in the future.

This is a question that frequently comes up from customers, but I find it difficult to provide a technical and professional answer to it.

As you are well aware, in the event of a security incident, even a single missing log entry can be critical. Therefore, we would like to verify and prepare for these aspects in advance.

I look forward to your professional and technical response.

Hi Kwangjae,

There is currently no built-in mechanism that can prove that zero logs were lost during a period when the agent was offline.

The agent is designed to behave consistently regardless of connectivity:

  • Events are captured locally in real time.
  • They are written to a local database on the endpoint.
  • If the server is reachable, logs are forwarded immediately.
  • If the server is not reachable, logs are retained locally and queued.
  • Once connectivity is restored, the backlog is transmitted to the server.

This is a store-and-forward architecture, which is standard for endpoint-based solutions.

The best way to validate behavior is through controlled testing:

  • Take a device offline
  • Generate a known number of events
  • Reconnect and compare what was ingested

This confirms that the buffering and forwarding work as expected.

Best,

Zoran

3 Likes
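The controlled test described in the reply above can be reconciled mechanically. The following is an added example, not part of the original thread and not Endpoint Protector code: it assumes each test event carries a hypothetical marker of the form `lossprobe-<run>-<seq>` (for instance in a file name), and that the ingested events are exported from the server as CSV with a hypothetical `file_name` column. Beyond a simple count comparison, it also reports duplicated deliveries.

```python
import csv
import io
import re
from collections import Counter

# Hypothetical marker embedded in each test event generated while offline,
# e.g. as a file name: lossprobe-<run_id>-<sequence>
MARKER = re.compile(r"lossprobe-(?P<run>[A-Za-z0-9]+)-(?P<seq>\d+)")


def expected_markers(run_id, count):
    """Markers for the known number of events generated during the test."""
    return [f"lossprobe-{run_id}-{i:04d}" for i in range(1, count + 1)]


def reconcile(export_csv, run_id, count, column="file_name"):
    """Compare a server-side CSV export against the known set of test events."""
    seen = Counter()
    for row in csv.DictReader(io.StringIO(export_csv)):
        m = MARKER.search(row.get(column) or "")
        if m and m.group("run") == run_id:  # ignore rows from other test runs
            seen[m.group(0)] += 1
    expected = expected_markers(run_id, count)
    expected_set = set(expected)
    return {
        "expected": count,
        "ingested": sum(1 for e in expected if seen[e]),  # distinct events seen
        "missing": [e for e in expected if not seen[e]],
        "duplicated": sorted(e for e in expected_set if seen[e] > 1),
        "unexpected": sorted(e for e in seen if e not in expected_set),
    }


# Constructed sample export: 5 events were generated offline in run "r7";
# event 3 never arrived, event 4 arrived twice, one row is from an older run.
SAMPLE_EXPORT = """event_time,computer,file_name
2024-01-01T10:00:01Z,PC-TEST-01,lossprobe-r7-0001.txt
2024-01-01T10:00:02Z,PC-TEST-01,lossprobe-r7-0002.txt
2024-01-01T10:00:04Z,PC-TEST-01,lossprobe-r7-0004.txt
2024-01-01T10:00:04Z,PC-TEST-01,lossprobe-r7-0004.txt
2024-01-01T10:00:05Z,PC-TEST-01,lossprobe-r7-0005.txt
2023-12-30T09:00:00Z,PC-TEST-01,lossprobe-r6-0001.txt
"""

if __name__ == "__main__":
    print(reconcile(SAMPLE_EXPORT, run_id="r7", count=5))
```

An empty `missing` list shows that buffering and forwarding worked for that test run only; it does not prove completeness for other offline periods.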

Understood. Apart from the tests you mentioned, is it correct to assume that there are currently no plans to implement a server-side mechanism for verifying log integrity?

That is correct.

We’ll soon announce an Endpoint Protector webinar where we’ll also cover the roadmap for the next 12 months. There are several exciting features already in development.

Keep an eye on the community for the exact date and be sure to register once it’s announced.